Saturday 29 November 2014

New measures to safeguard SingPass accounts

By Lester Hio, The Straits Times, 28 Nov 2014

DO NOT panic if you wake up one morning to find you can no longer access your SingPass account.

The Infocomm Development Authority of Singapore (IDA) announced yesterday that it is adding new security features to protect SingPass users against potential hacks and security breaches.

SingPass accounts which have been inactive for more than three years will now have their passwords reset automatically.

The IDA said there are currently about 400,000 inactive accounts out of a total of 3.3 million SingPass accounts.

It has started sending letters to the people holding them to ask them to change their passwords. If nothing is done after 14 days, these accounts will be reset.

The regulator added that it will also reset accounts in which unusual activities are detected.

"We continue to strengthen the SingPass system to protect users and enable them to transact safely online," said Mr Chan Cheow Hoe, assistant chief executive of IDA and the government chief information officer.

Accounts that are reset can be restored by users making an online request for a new password or by visiting SingPass centres.

The issue of cyber security came under the spotlight in June when more than 1,500 SingPass accounts were reset after investigations showed they may have been accessed illegally. The new measures have been put in place as the IDA enhances its e-government services system.

Among other new features being implemented is two-factor authentication for sensitive transactions. Users will get the option of receiving one-time passwords - through SMSes or tokens - similar to practices used by banks.

Mr Chan said it is up to individual government agencies to decide which services will require such authentication, but raised examples such as checking Central Provident Fund (CPF) accounts or filing taxes.

There will also be transaction notifications sent to users after they use government services.

Senior analyst Clement Teo of technology and market research company Forrester said: "Anything involving monetary transactions or transmission of personal data - like CPF - should have these layered security measures."

These new features are on top of existing measures such as prompts to change passwords every two years or to key in a randomly generated security code after a failed login attempt.

Mr Kong Kok Kuan, 27, who runs a tuition centre, said: "My main concern is for the elderly who don't own mobile phones. My 65-year-old mum can't even remember her password - what if she misplaces her token and can't log in?"
